[webkit-changes] [162830] trunk/Source/WebKit2

[carlosgc]

Title: [162830] trunk/Source/WebKit2

Revision

162830

Author

carlo...@webkit.org

Date

2014-01-27 00:27:01 -0800 (Mon, 27 Jan 2014)

Log Message

[SOUP] WebProcess sometimes crashes when a download is cancelled
https://bugs.webkit.org/show_bug.cgi?id=127650

Reviewed by Martin Robinson.

The problem is that when the download is cancelled, the download
manager removes the download from the map and it's deleted. The
Download destructor calls platformInvalidate() that cancels the
resource handle if there's still one. We set to nullptr the
ResourceHandle when the download is cancelled to avoid cancelling
it twice, but it's done after calling Download::didCancel(). It
should be done before, because at that moment, when the download
is deleted, the resource handle pointer is still valid.

* Shared/Downloads/soup/DownloadSoup.cpp:
(WebKit::Download::cancel):

Modified Paths

• trunk/Source/WebKit2/ChangeLog
• trunk/Source/WebKit2/Shared/Downloads/soup/DownloadSoup.cpp

Diff

Modified: trunk/Source/WebKit2/ChangeLog (162829 => 162830)

--- trunk/Source/WebKit2/ChangeLog	2014-01-27 08:18:51 UTC (rev 162829)
+++ trunk/Source/WebKit2/ChangeLog	2014-01-27 08:27:01 UTC (rev 162830)
@@ -1,3 +1,22 @@
+2014-01-27  Carlos Garcia Campos  <cgar...@igalia.com>
+
+        [SOUP] WebProcess sometimes crashes when a download is cancelled
+        https://bugs.webkit.org/show_bug.cgi?id=127650
+
+        Reviewed by Martin Robinson.
+
+        The problem is that when the download is cancelled, the download
+        manager removes the download from the map and it's deleted. The
+        Download destructor calls platformInvalidate() that cancels the
+        resource handle if there's still one. We set to nullptr the
+        ResourceHandle when the download is cancelled to avoid cancelling
+        it twice, but it's done after calling Download::didCancel(). It
+        should be done before, because at that moment, when the download
+        is deleted, the resource handle pointer is still valid.
+
+        * Shared/Downloads/soup/DownloadSoup.cpp:
+        (WebKit::Download::cancel):
+
 2014-01-25  Sam Weinig  <s...@webkit.org>
 
         Remove unused support for DRAGGABLE_REGION

Modified: trunk/Source/WebKit2/Shared/Downloads/soup/DownloadSoup.cpp (162829 => 162830)

--- trunk/Source/WebKit2/Shared/Downloads/soup/DownloadSoup.cpp	2014-01-27 08:18:51 UTC (rev 162829)
+++ trunk/Source/WebKit2/Shared/Downloads/soup/DownloadSoup.cpp	2014-01-27 08:27:01 UTC (rev 162830)
@@ -233,8 +233,12 @@
 {
     if (!m_resourceHandle)
         return;
-    static_cast<DownloadClient*>(m_downloadClient.get())->cancel(m_resourceHandle.get());
-    m_resourceHandle = 0;
+
+    // Cancelling the download will delete it and platformInvalidate() will be called by the destructor.
+    // So, we need to set m_resourceHandle to nullptr before actually cancelling the download to make sure
+    // it won't be cancelled again by platformInvalidate. See https://bugs.webkit.org/show_bug.cgi?id=127650.
+    RefPtr<ResourceHandle> resourceHandle = m_resourceHandle.release();
+    static_cast<DownloadClient*>(m_downloadClient.get())->cancel(resourceHandle.get());
 }
 
 void Download::platformInvalidate()

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes